Cybersecurity – Technology Transactions Today
https://www.techtransactionstoday.com
Insights, tips and trends in technology transactions from the country’s leading technology lawyers

Can owning your company's encryption lead to better security?
https://www.techtransactionstoday.com/2019/02/18/can-owning-your-companys-encryption-lead-to-better-security/
Mon, 18 Feb 2019 09:00:39 +0000

While the current vendor environment clearly poses significant challenges and risks to businesses entrusting them with their data, use of encryption can, at least in many cases, materially mitigate that risk. The devil, however, is in the details …

I previously wrote several posts about the somewhat dire state of the world with regard to information security in vendor and supplier relationships. In particular, I noted the growing trend by vendors to decline material liability for security breaches – even in cases of gross negligence and willful misconduct. I also wrote most recently about how vendors are subcontracting key elements of their services to third-party cloud providers and then disclaiming all liability for them. In the past, the vendor would have simply agreed they are responsible for such cloud providers as their subcontractors. Today, however, a number of vendors are taking the position they will assume little or no liability for the cloud providers they choose to use. The foregoing trends have led to a significant diminution in information security protections for businesses in their vendor relationships.

The question before us today is “what can a business do in this new vendor environment to mitigate risk?” The answer is not very palatable. Let’s return to the old and well-worn acronym of “CIA.” It is one of the cornerstones of information security. CIA stands for Confidentiality, Integrity and Availability. In the current vendor environment, it is frequently not possible to achieve all three of these components, but the use of encryption may provide at least a partial solution to two of them: confidentiality and integrity.

Now I am well aware that many vendors offer encryption as part of their services. But, let’s look a little closer at exactly what they are offering. The typical conversation with a vendor goes something like the following:

Customer: I am concerned that you are refusing to assume any real liability for data breaches. If there is a breach, your liability is limited to a trivial amount.

Vendor: Do not be concerned at all. We have structured our services so that there is no possibility of a data breach. We use encryption to protect all data stored on our service. In the unlikely event of an unauthorized access, the only thing compromised would be unreadable data. Your data is never placed at risk. It is always protected.

Customer: So you select the encryption algorithm, implement it, and handle key generation and management? Suppose one of those elements is mishandled and our data is breached in unencrypted form? What is your liability?

Vendor: While we certainly stand behind our industry-leading security measures, we don’t assume any heightened liability for failure of those measures. The good news is that our encryption is rock-solid.

Customer: But suppose you are negligent in your choice of encryption methodology and its deployment?

Vendor: That won’t happen. Trust us.

Bottom line: the customer has nothing but the vendor’s best intentions to rely on. If the vendor uses an outdated encryption methodology, fails to implement it properly, or mishandles key generation, they offer no real liability. As a result, the vendor’s offer of industry-leading encryption is, at best, “sales talk.” Businesses cannot rely on it.

What then are businesses to do? The answer is to handle encryption themselves. This allows the business to have greater confidence in the protection of its data. While this cannot be done in every instance for every service, it can be done for many.

There are three approaches:

1. Encrypt on the customer side using encryption means selected by the customer before transmitting data to the vendor.

The problem with this approach is that it generally only works for very rudimentary vendor services (e.g., cloud-based backup systems). It cannot be used for most interactive services furnished by vendors.

2. Encrypt using the growing base of middleware for popular cloud services.

This provides a broader range of services for which the customer can take control of encryption. In addition, many vendors of these middleware applications are willing to assume material liability for security flaws in their products.

3. Find a cloud service where the vendor offers the customer the ability to manage key generation on the customer side.

This is clearly the future and the most seamless means of mitigating risk. Already, several internationally recognized cloud providers are making this option available for some of their core services. I expect to see more vendors doing so in the near future. It is a competitive advantage to offer this functionality.
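As an added illustration of approach 1 (and of the confidentiality-plus-integrity point made earlier), not code from the original post: a Go program in which the customer generates and holds the key and seals each object with AES-256-GCM before it is sent to the vendor. The object name is bound as associated data, so any alteration of the stored blob, or serving it back under another name, is detected on retrieval. The object name and record contents are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes: AES-256 used in GCM mode, an authenticated cipher, so
// one key gives both confidentiality and integrity of each stored object.
const KeySize = 32

// NewCustomerKey generates a data-encryption key that stays on the customer
// side (for example in the customer's own key vault); the vendor never sees it.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext before it is handed to the vendor. The object name is
// bound as additional authenticated data so a ciphertext cannot later be served
// back under a different name without detection. Layout: nonce || ciphertext || tag.
func Seal(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// GCM appends a 16-byte authentication tag; a fresh random nonce per object
	// is acceptable here because one key protects a modest number of objects.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a blob retrieved from the vendor and verifies its tag. Any change
// to the stored bytes, or a mismatched object name, is rejected rather than
// returning corrupted plaintext.
func Open(key []byte, objectName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	return pt, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	const name = "backups/payroll-2019-02.csv" // constructed object name
	record := []byte("constructed sample record: employee,amount\n")
	blob, err := Seal(key, name, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the vendor stores (%d bytes): %x...\n", len(blob), blob[:16])

	pt, err := Open(key, name, blob)
	fmt.Printf("retrieved intact: %v, plaintext matches: %v\n", err == nil, string(pt) == string(record))

	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or altered object at the vendor
	_, err = Open(key, name, blob)
	fmt.Println("altered object rejected:", err)
}
```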

An issue closely related to encryption and one that is often overlooked is secure destruction of data on termination of the vendor contract. All too often, this key issue is relegated to a sentence along the following lines: “On termination of this Agreement, Vendor will delete the customer data.” Certainly, this is short on detail. If only a few words can be changed, we would recommend making clear the deletion must be “secure and irrevocable.” A better practice, however, is to expressly reference one or more of the recognized standards in the industry for destruction. For example:

On termination of this Agreement, Vendor shall ensure all Client Confidential Information has been “scrubbed” and irretrievably deleted from its systems and records using methods consistent with best industry practices (i.e., at least as protective as the DoD 5220-22-M Standard, NIST Special Publication 800-88, Guidelines for Media Sanitization, or NAID standards).

Note that in some industries there are clear preferences for one of these destruction methods over the others. Make sure to reference the appropriate standard.

While the current vendor environment clearly poses significant challenges and risks to businesses entrusting them with their data, use of encryption can, at least in many cases, materially mitigate that risk. The devil, however, is in the details. If the vendor controls the process and refuses any real liability for any flaws in that process, then the customer will have little additional protection. If, on the other hand, the customer can have a hand in controlling that process, far greater protection can be achieved.

The End of Security as We Know It
https://www.techtransactionstoday.com/2018/12/11/the-end-of-security-as-we-know-it/
Tue, 11 Dec 2018 16:59:09 +0000

If you listen very carefully, the age of information security as we know it ended recently, not with a bang, but with a whimper. While that may be something of an overstatement, a recent event put us on the track to that very end.

Consider the “old-way”: Your company decides to engage a vendor to provide services or products in which the vendor will have possession of, hosting of, access to, or other use of your sensitive data or interaction with your production systems. In those cases, a prudent company would do three things to address information security. First, they would conduct due diligence of the vendor’s security practices, including past security incidents, compliance with recognized security standards, security policy review, etc. Second, they would include specific, strong protections in their contract with the vendor addressing the vendor’s obligations with regard to security, including service level obligations to ensure the availability of critical data. Finally, a prudent company would conduct post-contract execution audits and inspections to ensure the security requirements in the agreement are being followed.

These three approaches to mitigating security risks in vendor agreements form an integrated whole and reflect best industry practices: diligence, contract requirements, and post-contract policing.

These three approaches to mitigating risk form the cornerstone for businesses to show they have been diligent and acted reasonably in addressing security risks in vendor contracts.

These three approaches to mitigating risk are the primary means by which a business can respond to and defend itself against a regulatory investigation in the event of a security breach.

Now, imagine the new emerging paradigm – a paradigm in which you are not able to implement any of the foregoing approaches to mitigating risk. You cannot conduct diligence, you have no means of achieving required contractual protections, and you are denied post-contract policing. Consider, further, that these are not small engagements, but engagements involving hundreds of thousands, if not millions of dollars in fees.

Let me be more specific about the disturbing trend I am describing. In particular, consider the case of one well-known cloud provider. Let’s call them “ABC”. Their new approach to contracting involves the following: ABC reserves the right, without customer approval or notice, to subcontract performance to any number of third-party hosts or other providers to perform some or all of the key data hosting, security, and other operations comprising ABC’s services. Let’s call the third-party hosts and other providers the “Subcontractors.” ABC can change the Subcontractors at will. Now if we were still operating under the “old way,” ABC would readily agree, at minimum, that it is responsible for the actions of its Subcontractors and that any failure by a Subcontractor would constitute a failure by ABC.

But this isn’t the old way. Instead, ABC takes the unprecedented approach of stating that, in fact, it assumes no liability or responsibility for the Subcontractors it has chosen. Moreover, it states to the extent there are any protections at all, it refers the customer to the online form agreements available from the Subcontractors. The flaw in this approach is that ABC’s customer is not a party to those online agreements. So, while those agreements may be interesting, the customer has no means of enforcing them against the Subcontractors. Only ABC has that right. Only ABC is actually in contract with the Subcontractors.

What Is the End Result of the Foregoing?

First, ABC’s customer has very limited ability to conduct diligence of ABC’s Subcontractors. The customer is limited to perusing generic online information made available generally by the Subcontractors to those visiting their web sites. Even if the customer could conduct meaningful diligence, it would be of little real use because ABC can change the Subcontractors at will and the Subcontractors can change all or any part of the online information at any time.

Second, if the Subcontractor fails to perform (e.g., it is a host and the service for which the customer is paying ABC fees is never available for access due to SLA failures at the Subcontractor) or suffers a major data breach, ABC assumes no responsibility and ABC’s customer has no remedy. In both cases, the customer is left without the ability to hold either ABC or the Subcontractor accountable for the failure. Worse yet, the customer will likely have no means of declaring a breach of its agreement with ABC and will be unable to terminate the agreement. The customer is left continuing to pay for a service that is, at best, non-conforming or, at worst, creating liability due to a data breach or other mishandling of information.

Finally, because the customer has no contractual rights against the Subcontractors, it has no audit or other rights to ensure the Subcontractor is adequately protecting its information and systems. Even if it had those rights, it has no means of forcing the Subcontractor to correct any identified non-conformances or deficiencies.

To review:

The customer has little or no ability to conduct meaningful diligence of the Subcontractors;

The customer has no contract with the subcontractor, so it cannot enforce its rights against the Subcontractor;

ABC is refusing any responsibility for its choice of Subcontractors;

ABC can change the Subcontractors at will;

ABC can use this approach to outsource the entirety of its operations and avoid any material responsibility for its services;

Even if ABC retains certain performance obligations, in the event of a failure or breach, ABC is likely to point a finger at the Subcontractor and vice versa as the source of the issue; and

The customer has no means of conducting post-contract assessments and audits of the Subcontractors.

The result: the end of information security as we know it.

What is truly remarkable is that ABC insists its approach is entirely reasonable and entirely consistent with industry practice. Thankfully, they are incorrect. The overwhelming majority of vendors continue the “old way,” rightfully assuming responsibility for the subcontractors they select. Let’s hope that continues.

In the meantime, beware of vendors who attempt to abdicate their responsibility to unnamed third-party contractors. Proceeding with an engagement of that kind means you are, at best, assuming an unqualified obligation to pay for a service that need never be provided and, at worst, a compliance nightmare. Consider having to explain to a regulator or plaintiff in a class action that you entrusted highly sensitive data to a vendor only to have that vendor hand off the data to a third party for whom the vendor assumed no real responsibility and with whom you have no contract. That will be a difficult conversation.

Strategies for Protecting Against Vendor Payment Fraud
https://www.techtransactionstoday.com/2018/10/15/strategies-for-protecting-against-vendor-payment-fraud/
Mon, 15 Oct 2018 08:00:36 +0000

Cybercrime is an ever-increasing threat from which manufacturers are not immune. Although reliable statistics are not available, one particular type of scheme that seems to be on the rise is vendor payment fraud. In cases of vendor payment fraud, the fraudster poses as an existing supplier and provides the manufacturer with seemingly legitimate instructions changing the account payment information. The exact means by which vendor payment fraud schemes are perpetrated can take many forms. However, the most sophisticated and hardest to detect schemes often involve “hacking” into the vendor’s systems and sending a seemingly legitimate email or other instruction directing the change.

Unless properly protected against, vendor payment fraud leaves the manufacturer facing an angry supplier that has not received payment, despite the fact that the manufacturer is out of pocket for money still claimed by the supplier. Manufacturers often must face the difficult choice of making double payments or risking supply disruptions.

It is impossible to eliminate all risks posed by cybercrime. However, there are certain simple steps that manufacturers can take to mitigate the risk posed by vendor payment fraud schemes:

Train and Advise Employees Regarding the Risk

The first line of defense for avoiding vendor payment fraud (and many other kinds of fraud) is a vigilant, well-trained workforce. Most individuals are wary of unsolicited emails concerning their own personal finances. That same level of caution is not always present when dealing with work-related matters. Employees should be made aware of potential fraudulent schemes and should employ a healthy level of skepticism regarding any suspicious or unexpected emails seeking to change existing payment instructions.

Verify Changes to Payment Instructions

Many payment fraud schemes can be avoided by a policy requiring that any change in payment instructions received electronically be verified through a phone call to the appropriate supplier contact person, or other form of manual verification. In cases in which manual verification for all changes may not be practical, requiring verification for suppliers over a designated annual spend still can go a long way toward risk mitigation.

Include Appropriate Contractual Protections

Manufacturers should seek to include provisions in their contracts addressing cybersecurity issues. At a minimum, manufacturers should require that all suppliers and vendors employ appropriate measures to protect their systems from unauthorized access. In particular, manufacturers should include provisions in their contracts to expressly provide that suppliers are responsible for the integrity of their own systems and bear the risk of any lost or misdirected payment resulting from a breach.

Employ Appropriate Security for Internal Systems

Finally, manufacturers should ensure that their own systems are properly protected. Employing such protections is a sound business practice for many reasons. In the context of a vendor payment fraud issue, it will be difficult for a manufacturer to argue that a vendor should have employed better security, and therefore should be responsible for a loss, if the manufacturer does not employ the same or equivalent protective measures for its own systems.

The risks posed by vendor payment fraud and other forms of cybercrime are not going away any time soon, and are likely to increase. Manufacturers should take steps to mitigate the risks posed by these issues before they become a victim.

Court Rules Drivers Lack Standing to Pursue Claims Against Uber Because Data Breach Did Not Include Drivers’ Social Security Numbers
https://www.techtransactionstoday.com/2018/08/01/court-rules-drivers-lack-standing-to-pursue-claims-against-uber-because-data-breach-did-not-include-drivers-social-security-numbers/
Wed, 01 Aug 2018 08:00:16 +0000

California companies housing their drivers’ personal information may feel less exposed to liability in light of the Northern District of California’s holding in Antman v. Uber Technologies, Inc. in May.[1] The trial court in Antman found that Uber was not liable to its drivers after hackers illicitly accessed their personal information through Uber’s computer system.[2]

Plaintiffs Sasha Antman and Gustave Link alleged that the company failed to protect their personal information, as well as that of a putative class of individuals similarly situated. Plaintiffs stated claims for violation of California’s Unfair Competition Law (UCL), negligence, and breach of implied contract.[3][4]

According to the allegations, Uber drivers’ personal information (including names, driver’s license numbers, and bank information) was compromised in two separate incidents in May 2014 and October 2016.[5] Notably, there was no allegation that the Social Security numbers of the putative class were compromised. The putative class alleged injuries including the time and expense related to monitoring their financial accounts for fraud, an increased risk of fraud and identity theft, and invasion of privacy.[6] Antman individually alleged that an unknown person had used his personal information to apply for a credit card in or around June 2014.[7]

The court rejected the suggestion that Uber’s failure to protect plaintiffs’ personal information was an injury per se sufficient to confer standing.[8] Judge Beeler dismissed plaintiffs’ case on two grounds: (1) failure to establish Article III standing; and (2) failure to show injury and causation sufficient to defeat Uber’s Rule 12(b)(6) motion to dismiss.[9] The court determined that plaintiffs lacked standing because they had not adequately established injury.[10] In doing so, the court distinguished the action from another case in which the plaintiffs’ Social Security numbers were compromised.[11] Without Social Security numbers, the court reasoned, the “disclosed information does not plausibly amount to a credible threat of identity theft that risks real, immediate injury.”[12]

The trial court further held that plaintiffs failed to establish causation. The court reiterated that Article III requires the injury be “trace[able] to the challenged action of the defendant” and not the “result [of] the independent action of some third party …”[13] Because a person could not plausibly apply for a credit card without a Social Security number—which plaintiffs did not allege was accessed in the breach—there was nothing to suggest that Uber caused Antman’s injuries.[14]

The court also took care to rebut plaintiffs’ claim that Uber’s “pattern of dishonesty means that it cannot be trusted.”[15] Rather, allegations regarding other lawsuits, and what they reveal about the company and its business practices, “do not affect the court’s inquiry.”[16] Because plaintiffs failed to show personal injury or plausible risk of immediate harm, they failed to establish Article III standing.

Having dismissed two earlier versions of the complaint, the court dismissed the latest version without leave to amend, closing the door on any subsequent attempts by the plaintiffs to allege adequate proof of injury and causation.[17] Plaintiffs filed a notice of appeal on June 8, 2018, to the Ninth Circuit Court of Appeals, which issued an order on July 19 releasing the case from the court’s mediation program.[18]

[10] Id. at *9. The Court had earlier dismissed plaintiffs’ First and Second Amended Complaints for lack of standing. Id. at *1; see also Antman v. Uber Techs., Inc., No. 3:15-cv-01175-LB, 2015 WL 6123054, at *9-12.

Integrating Information Security Into the Technology Development Process
https://www.techtransactionstoday.com/2018/07/23/2360/
Mon, 23 Jul 2018 08:00:49 +0000

In a recent blog post, I discussed limitation of liability clauses in technology contracts. Given the favorable response to that post, I thought it would be of interest to discuss another misunderstood and frequently neglected area of technology contracting: information security warranties. Let me be more specific. Most well-drafted technology agreements contain specific warranties and other protections relating to the protection and security of data shared with the vendor. While clearly important, contract protections should not stop there. Rather, it is becoming a contracting best practice in the industry to also include one or more warranties specifically directed at ensuring the vendor has integrated information security into the overall development of its products. It is this area that is frequently overlooked and too often misunderstood.

These types of warranties address how thoroughly the vendor has dealt with information security: whether it has attempted to “bolt on” security measures to an already developed product, or has developed the product with information security in mind from the time of inception. In addition, these types of warranties are directed at ensuring the vendor hasn’t incorporated orphaned code into its products.

Those of you who read this blog regularly will recall I previously provided a checklist of information security warranties, including the kind of warranties we are discussing today. Here, however, we will talk about the specifics of those warranties in detail.

Securing Development Warranties

In the current technology environment, it is critical to ensure that vendors commit to a development environment for their products that represents best practices for assessing and testing security. The linchpin of this protection is an appropriate code review. To that end, the warranty generally either requires the vendor to use a nationally recognized third-party auditor specializing in code reviews to conduct the security assessments, or allows the vendor to conduct its own security assessments, provided that the personnel performing the review are experienced in conducting reviews of this kind, hold an industry-recognized certification in software security assessment (e.g., Certified Secure Software Lifecycle Professional [CSSLP] or GIAC Secure Software Programmer certification), follow industry-standard best practices, and promptly share the results for the customer’s review and approval.

Consider one potential way this might be written as a contract warranty:

Secure Development. With regard to any Product, Vendor warrants it will use industry best practices for secure coding (e.g., the CERT Secure Coding Standards, ISO 27034, etc.), including integrating security measures into the development process, conducting comprehensive security testing of all software and other coding, and using automated code vulnerability assessment tools. Testing should include, where appropriate, but not be limited to, cross-site scripting, parameter tampering, hidden field manipulation, backdoors and debug options, stealth commanding, application buffer overflow, cookie poisoning, third-party misconfigurations, HTTP attacks, SQL injection, and other known vulnerabilities. Vendor will document all identified vulnerabilities and their remediation. Vendor shall make such documentation available to the Customer in the form of a written report.

Known Vulnerability Warranties

Closely associated with the secure development warranty described above is a warranty that the vendor has complied with specified standards and testing procedures designed to assess the overall security and vulnerability of its products. At its most basic level, this is an obligation to check the product against the most common security vulnerabilities identified by recognized organizations in the security industry (e.g., the OWASP Top 10 vulnerabilities; the CWE/SANS Top 25 vulnerabilities). This can be accomplished by testing the product on a routine basis for any vulnerability or exposure identified in MITRE’s Common Vulnerabilities and Exposures (CVE), located at http://cve.mitre.org, that has a Common Vulnerability Scoring System (CVSS) score of, say, 4 or higher. Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9, “Medium” severity if they have a CVSS base score of 4.0-6.9, and “High” severity if they have a CVSS base score of 7.0-10.0. Depending on the engagement, the customer can select how much risk it is willing to take by setting the acceptable vulnerability score.

Here is an example of a warranty drafted to address known vulnerability testing:

Known Vulnerability Testing. In addition to all other security obligations under this Agreement, Vendor represents that it shall test all Products, including all embedded third-party software, in accordance with best industry practices, but in no event on less than a quarterly basis, for any vulnerability or exposure identified in MITRE’s Common Vulnerabilities and Exposures (CVE), located at http://cve.mitre.org, and having a Common Vulnerability Scoring System (CVSS) score of 6 or higher (as published by the NIST National Vulnerability Database, located at http://nvd.nist.gov). In the event such a vulnerability is identified, Vendor will, at no additional charge to Customer, promptly remediate the vulnerability. Vendor shall keep complete and accurate records of its testing and remediation activities under this Section.

Orphaned/Abandoned Code Warranties

As noted above, the other key area for security warranties is protection from orphaned or abandoned code. In particular, the use of open-source software in commercial products is now widespread. Many commercial products include dozens of such applications. Security researchers have found that orphaned code (i.e., code that is no longer actively supported or under development) can pose a serious security threat. In some instances, vendors are using code that has not been updated in years. To address this area of vulnerability, vendors should be required to warrant that no such outdated, abandoned, or orphaned code is present in their products.

A potential warranty for this type of orphaned software is as follows:

No Orphan Code/End-of-Life Products. Vendor represents and warrants that (i) no programming furnished to Customer will contain any orphaned code, as defined below, and that (ii) no hardware or software products, including operating systems and embedded software, or any component thereof, contain any hardware or software designated prior to the Effective Date as End-of-Life (i.e., no longer supported and updated by the manufacturer or licensor). For purposes of this Section, orphaned code means software that (a) has had more than one year since its last release or update; (b) does not have an identified individual responsible for supporting and maintaining the code; or (c) the identified individual’s contact information is no longer valid.
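To show how the Known Vulnerability Testing warranty and the No Orphan Code/End-of-Life warranty above translate into checks a customer can run against a vendor's test report and component inventory, here is an added Go example (not from the post or any vendor's tooling): it applies the quoted CVSS severity bands and the sample clause's threshold of 6, flags testing that is more than a quarter old, and evaluates orphaned-code criteria (a) to (c) and the End-of-Life clause for each component. The findings, CVE placeholders and component records are constructed, and the record layouts are this example's own, not an NVD or inventory format.

```go
package main

import (
	"fmt"
	"time"
)

// Classify maps a CVSS base score to the severity bands quoted in the post:
// Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0.
func Classify(score float64) string {
	switch {
	case score < 0 || score > 10:
		return "Invalid"
	case score < 4.0:
		return "Low"
	case score < 7.0:
		return "Medium"
	}
	return "High"
}

// Finding is one CVE matched against the product or an embedded component
// (constructed layout for this example).
type Finding struct {
	CVE       string
	Component string
	BaseScore float64
}

// RequiresRemediation returns the findings at or above the contractual
// threshold (6 in the sample clause), which the vendor must fix at no charge.
func RequiresRemediation(findings []Finding, threshold float64) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.BaseScore >= threshold {
			out = append(out, f)
		}
	}
	return out
}

// TestingOverdue flags a vendor whose last vulnerability test is more than a
// quarter old ("in no event on less than a quarterly basis").
func TestingOverdue(lastTest, asOf time.Time) bool {
	return asOf.After(lastTest.AddDate(0, 3, 0))
}

// Component is one piece of software in the product, as a customer might record
// it from the vendor's component inventory (constructed fields).
type Component struct {
	Name          string
	LastRelease   time.Time
	Maintainer    string    // empty when nobody is identified as responsible
	ContactValid  bool      // whether the maintainer's contact details still work
	EndOfLifeDate time.Time // zero value when not designated End-of-Life
}

// WarrantyBreaches lists which parts of the sample "No Orphan Code/End-of-Life"
// warranty the component would fail as of asOf, for a contract with the given
// Effective Date.
func WarrantyBreaches(c Component, asOf, effectiveDate time.Time) []string {
	var reasons []string
	if asOf.After(c.LastRelease.AddDate(1, 0, 0)) {
		reasons = append(reasons, "(a) more than one year since last release or update")
	}
	if c.Maintainer == "" {
		reasons = append(reasons, "(b) no identified individual responsible for the code")
	} else if !c.ContactValid {
		reasons = append(reasons, "(c) maintainer contact information no longer valid")
	}
	if !c.EndOfLifeDate.IsZero() && c.EndOfLifeDate.Before(effectiveDate) {
		reasons = append(reasons, "(ii) designated End-of-Life before the Effective Date")
	}
	return reasons
}

func date(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

func main() {
	asOf, effective := date(2018, 7, 23), date(2018, 1, 1)
	// Constructed sample findings; the identifiers are placeholders, not real CVEs.
	findings := []Finding{
		{"CVE-0000-0001", "product core", 9.8},
		{"CVE-0000-0002", "embedded-xml-parser", 6.1},
		{"CVE-0000-0003", "embedded-logging", 3.7},
	}
	for _, f := range RequiresRemediation(findings, 6.0) {
		fmt.Printf("remediate %s in %s (%s, %.1f)\n", f.CVE, f.Component, Classify(f.BaseScore), f.BaseScore)
	}
	fmt.Println("quarterly testing overdue:", TestingOverdue(date(2018, 3, 1), asOf))

	// Constructed component inventory.
	comps := []Component{
		{Name: "embedded-xml-parser", LastRelease: date(2016, 5, 2)},
		{Name: "embedded-logging", LastRelease: date(2018, 6, 1), Maintainer: "J. Doe", ContactValid: true},
		{Name: "legacy-os-image", LastRelease: date(2017, 9, 1), Maintainer: "A. Roe", ContactValid: true, EndOfLifeDate: date(2017, 12, 31)},
	}
	for _, c := range comps {
		fmt.Printf("%-20s %v\n", c.Name, WarrantyBreaches(c, asOf, effective))
	}
}
```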

Of course, the foregoing potential warranties are merely possibilities. Specific engagements may require greater or lesser levels of protection. Two details deserve attention when the clauses are tailored: NIST publishes separate CVSS v2 and v3 base scores for the same CVE, and the two scales differ, so the first clause should name the version it relies on; and the one-year test in the second clause will also flag stable libraries that simply have nothing left to release, so it is best treated as a trigger for inquiry rather than an automatic exclusion. What these examples do provide, however, is insight into how common security standards may be incorporated into contract language to ensure vendors furnish products with appropriate information security protections.

California Moves Towards GDPR-like Privacy Protections in the California Consumer Privacy Act of 2018
https://www.techtransactionstoday.com/2018/07/03/california-moves-towards-gdpr-like-privacy-protections-in-the-california-consumer-privacy-act-of-2018/
Tue, 03 Jul 2018

CCPA At-A-Glance

The new law gives consumers broad rights to access and control of their personal information and imposes technical, notice, and financial obligations on affected businesses.

CCPA was enacted to protect the privacy of California consumers and has some similar characteristics to the EU’s General Data Protection Regulation (GDPR), including a new and very broad definition of what is included in protected personal information. Affected businesses are for-profit entities doing business in California that meet certain revenue or data collection volume requirements.

CCPA is effective January 1, 2020, and will apply to personal information collected before and after the effective date.

Businesses will need to modify operations, policies and procedures to comply with California residents’ rights to information about and control of their personal information.

Given the requirement for the California Attorney General to develop implementing regulations, and the strong and open opposition to the CCPA by technology companies, the final compliance requirements will likely evolve considerably between now and January 1, 2020.

On June 28, 2018, California passed AB 375, the California Consumer Privacy Act of 2018 (CCPA), which will become effective January 1, 2020. Introduced just a week earlier in an effort to defeat a much stricter privacy-focused ballot initiative, the CCPA is a sweeping new privacy law that was passed unanimously by the legislature with just minutes left to withdraw the ballot initiative from the November ballot. The CCPA provides California consumers with significantly expanded rights as to the collection and use of their personal information by businesses.

Applicability to Businesses

New Data Types Included as Personal Information

The CCPA broadly defines personal information to cover types of information not traditionally considered personal information in the United States, including:

IP addresses

email addresses

records of purchasing or consuming histories or tendencies

browsing history and search history

geolocation data

audio, visual, or thermal information

professional or employment information

education information

The CCPA uses a much broader definition of personal information than is generally used in privacy statutes in the United States, including the definition in California’s own data breach notification statute. Personal information under the CCPA includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” With this broad definition, the types of information protected under the CCPA are much closer to those found in the European Union’s General Data Protection Regulation (GDPR).

The law applies to for-profit entities that do business in California and have a role in determining the means and purposes of the processing of personal information and which either: (a) have annual gross revenues in excess of $25,000,000; (b) annually process the personal information of 50,000 or more California residents, households, or devices; or (c) derive at least half of their gross revenue from the sale of personal information. Thus, the CCPA’s applicability is based on the corporate structure, total revenue and source of revenue, and the amount of personal information processed by a business – regardless of its actual location. The CCPA does not define “households,” and the definition of “devices” is not limited to devices owned by California residents. Accordingly, the law may impact businesses with only loose ties to California.

Despite the apparent broad applicability of the CCPA, it specifically excludes personal information covered by other federal and state laws, such as: health information protected by California’s Confidentiality of Medical Information Act (CMIA) or HIPAA; the sale of information from or to a consumer reporting agency, if the information is used as part of a consumer report and in compliance with the Fair Credit Reporting Act (FCRA); and only to the extent the CCPA is in conflict, information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) or the Driver’s Privacy Protection Act (DPPA).

Requirements of the CCPA

As currently enacted, the law dramatically increases consumers’ rights of access to and control over how their personal information is collected, used, sold, and disclosed. Assuming the law is not revised, the CCPA would provide consumers with the following:

Right to Personal Information Collected by Businesses – Consumers will have the right (subject to identity verification) to obtain a record of the personal information that a business collects about them, as well as information about the sources of, and the business or commercial purposes of, that personal information.

Right to Erase Personal Information – Consumers can require (subject to identity verification and limited exceptions) a business and its service providers to delete any personal information the business has about the consumer once the information is no longer needed.

Right of Opt-Out – Consumers will have the right to opt-out of any future sale of their personal information through at least a “Do Not Sell My Personal Information” link on a business’ home page.

Opt-In Requirement for Minors – Businesses are prohibited from selling the personal information of consumers whom the businesses have actual knowledge are under 16 years old and for whom they do not have appropriate opt-in consent.

Prohibits Waiver and Retaliation by Businesses – Waivers of consumer rights and remedies under the CCPA are unenforceable and businesses cannot discriminate against consumers for exercising their rights under the CCPA, such as by denying goods or services to the consumer or by charging or suggesting different prices or rates for goods and services.

Increased Transparency – Businesses will need to be substantially more transparent about their collection and use of personal information and must provide consumers with notice (in their privacy policies) of their new rights under the CCPA.

Enforcement

Prior to the law taking effect, the CCPA requires the Attorney General to adopt implementing regulations, including the establishment of exceptions, procedures, rules, and other regulations necessary to establish compliance with the CCPA’s purposes. Technology companies have strongly opposed the CCPA and may be expected to take action to affect the implementing regulations. Compliance requirements are expected to evolve between now and the effective date, warranting continued monitoring.

The Attorney General will enforce compliance with the CCPA. Businesses that fail to cure alleged violations within 30 days will be subject to a penalty of up to $7,500 per violation.

The CCPA also provides a private right of action for consumers whose unencrypted and unredacted personal information (as more narrowly defined under California’s data breach notification law) was subject to theft or other unauthorized disclosure as a result of a business’ failure to reasonably protect the consumers’ personal information as required under California’s data breach notification law. Subject to certain procedural requirements, each such incident will allow consumers to recover the greater of actual damages or up to $750 per incident per consumer. As with other privacy statutes, claimed violations of the CCPA could be the basis to assert class actions.

Similarities to GDPR

California’s passage of the CCPA is part of a growing trend towards increased data protection for consumers. The CCPA comes on the heels of the May 25, 2018, effective date of the GDPR, which provides expansive privacy and personal data protection rights for individuals in the European Union. While the GDPR is broader in many aspects than the CCPA, there are significant overlaps in consumer rights and business obligations. For example, both the CCPA and the GDPR provide consumers with the right to be forgotten and the right to access their personal information, and both require that businesses be transparent in their processing of personal information. However, the GDPR requires consumers to opt in to some uses of their personal information, while the CCPA maintains the opt-out approach generally used in the United States. The CCPA also lacks the relatively prescriptive requirements for security and vendor agreements found in the GDPR.

Nonetheless, there are significant similarities and overlaps between the GDPR and the CCPA. These similarities may make compliance with the CCPA easier for businesses that have already taken measures to comply with the GDPR. Businesses subject to the GDPR should review their handling of personal information to determine whether it satisfies the requirements of the CCPA. Organizations that have already taken steps to fully comply with GDPR only for individuals in the European Union may have to extend many of the protections to California consumers. Organizations that were not fully compliant with the requirements of the GDPR may wish to review and prioritize their schedule to ensure compliance with the requirements of the CCPA before January 1, 2020. Organizations that may not have been previously subject to the GDPR should evaluate if they will now be subject to the CCPA and should start planning their compliance well ahead of its effective date.

Impact on Businesses

Although the CCPA will not go into effect until 2020, it will take time for impacted businesses to comply with all of its provisions. Businesses subject to the CCPA should consider the following actions in preparation for the CCPA’s implementation:

Conduct a data mapping of the personal information collected by the business to understand the scope of personal information collected and how it is used and shared with third parties.

Review internal policies and procedures to be able to appropriately respond to consumer requests for access to, deletion from, or information related to the sale or disclosure of their personal information.

Closely monitor guidance from the California Attorney General regarding appropriate verification measures for consumer requests. The CCPA describes that a business must associate information provided by a consumer with information it has collected, sold, or disclosed about a consumer to verify his or her identity, but instructs the California Attorney General to solicit public comments in order to promulgate further regulations in this area.

Begin the planning and implementation of technological improvements to their information systems that may be necessary to process consumer requests and their rights to opt-out of the sale of personal information.

Review and update privacy policies to comply with the disclosure requirements of the CCPA when it becomes necessary to do so.

Begin preparing training materials and planning for training all personnel who are responsible for handling consumer personal information inquiries.

Update contracts with third parties and service providers to whom consumer personal information is conveyed to ensure that the vendor can appropriately respond to consumer requests to delete information. Consider using third party audits to ensure compliance with the CCPA and conducting those audits through legal counsel to support the position that the results are covered by the attorney-client privilege.

Looking Forward

While the CCPA was largely applauded in a news conference held immediately following its signature by Gov. Jerry Brown, it has also met with some criticism. Nicole Ozer, technology and civil liberties director of the ACLU, decried that the CCPA was hastily drafted and that it utterly failed to provide the privacy protections that consumers demand and deserve. She further commented that the law will need to be revised to include effective privacy protections against rampant misuse of personal information, stronger provisions for Californians to enforce their rights, and protections against retaliation by businesses against California consumers who exercise their rights. On the other hand, some California businesses considered the CCPA too restrictive, but did not try to oppose it because the competing ballot initiative would, if passed, have imposed significantly more restrictions on the use of personal information and been more difficult to change in the future than the CCPA as enacted by legislators. As a result, the CCPA is likely to undergo revisions before it becomes effective on January 1, 2020. The law is also subject to public participation in implementing regulations required to be adopted by the Attorney General, including potentially additional categories of personal information and specific requirements for handling consumers’ opt-out rights. Foley attorneys will continue to monitor the CCPA and any amendments and implementing regulations.


Cryptocurrency Industry Insiders Eager for Regulatory Clarity, Foley Survey Finds
https://www.techtransactionstoday.com/2018/06/28/cryptocurrency-industry-insiders-eager-for-regulatory-clarity-foley-survey-finds/
Thu, 28 Jun 2018

A decade into the cryptocurrency revolution, the future of digital currencies is awash with questions, ranging from regulation and enforcement, to exactly what type of asset they are, to the impact of volatility in market values.

Against this backdrop, Foley & Lardner LLP surveyed a range of executives and investors to gauge their views on the use, risks and regulation of cryptocurrencies. One key theme to emerge was that despite strong libertarian views that permeate the cryptocurrency industry, the majority of those surveyed see the value of thoughtful regulation. Most respondents (84%) believe initial offerings of cryptocurrencies should be regulated in the United States. In addition, 68% want regulations for ongoing purchases and sales of cryptocurrencies, and 55% say it’s needed when it comes to paying for goods and services.

The survey also found respondents navigating an unclear legal environment. Nearly three-quarters (72%) say that the cryptocurrency industry does not have a well-grounded understanding of the application of existing regulation of financial markets or financial services. Their uncertainty is understandable as federal regulators have asserted their grounds for regulating aspects of cryptocurrency activities, but sent some mixed messages in the process. However, a recent speech by SEC Division of Corporation Finance Director William Hinman provided valuable insight into factors that could persuade the SEC that a particular token offering is, or is not, a securities offering.

Additional key findings that emerged from Foley’s research include:

Respondents favor self-policing, with 86% saying the cryptocurrency industry should develop common voluntary standards. Additionally, 89% say the industry should explore implementation of standards through formalized self-regulation, with most believing that any model of self-regulation should be subject to regulatory oversight.

More than half of respondents (58%) are willing to take on legal risk to invest in or develop cryptocurrency businesses.

A strong majority (72%) support the opportunity to invest in exchange-traded funds holding cryptocurrencies.

Respondents are watching a range of potential risks, with hacking and security breaches seen as the most pressing threats to the viability and growth of the cryptocurrency industry. The theft of cryptocurrency tokens is viewed as a strong or very strong risk by 71%, and 61% said the same of the theft or “ransom” of data.

The full 2018 Cryptocurrency Survey report is available for download from Foley & Lardner LLP.

Patrick Daugherty, Kathryn Trkla and Allison Charney are partners at Foley & Lardner LLP and members of the firm’s Blockchain Task Force, which advises established and startup businesses on the full range of issues arising in the cryptocurrency space. Practitioners from multiple legal disciplines counsel clients on such issues as initial coin offerings and blockchain fund formation; investing in cryptocurrency; use of distributed ledger platforms for trading of cryptocurrencies and other instruments; and the proper regulatory classification of these transactions.

GDPR and U.S. eDiscovery - Who Will Win the Game of Chicken
https://www.techtransactionstoday.com/2018/06/26/gdpr-and-u-s-ediscovery-who-will-win-the-game-of-chicken/
Tue, 26 Jun 2018

Well, it has now happened. The European Union’s new General Data Protection Regulation (GDPR) went into effect on May 25, 2018. In the lead up to G-Day, commentators published a voluminous amount of materials in legal journals, newsletters, and blog posts about what GDPR is, what it is supposed to accomplish, how to comply with it, the potential penalties for not complying, and the challenges that U.S. companies are facing in trying to re-work their entire data maintenance practices to keep pace with the GDPR’s requirements. One topic, however, that has gotten scant attention is what the GDPR will mean for litigators seeking discovery from Europe. Well, here is a prediction – U.S. courts will have little patience for GDPR compliance requirements if the result is a failure to preserve electronically stored information (ESI), a substantial delay in producing requested documents and data, or an outright refusal to produce the materials requested.

First, let’s examine – very briefly – what GDPR is and what it requires. (For more detailed descriptions, please refer to the aforementioned materials that have been published in recent months.) Simply put, the GDPR is a mandatory regulation designed to protect an individual’s privacy by limiting how electronic information about that person may be maintained, processed, used, or transferred. The GDPR is applicable in all 28 EU member states, as well as in the slightly wider European Economic Area (EEA), which includes non-EU member states such as Iceland and Norway. Even if a company is not physically located in those countries but provides goods and services to individuals located in the EU/EEA on a regular enough basis, then the GDPR is applicable to that entity. So, yes – the GDPR applies equally to a business based in Paris, France selling over the internet to individuals in Italy, as well as a business located in Paris, Texas, offering goods or services to people located in Ireland. Moreover – and probably most importantly in terms of ediscovery – the GDPR is applicable to employers of people located in the EU/EEA or entities that maintain electronic records of a European company’s employees.

Two things make GDPR compliance – or the failure to comply – particularly daunting. First is the regulation’s definition of “personal data” and the rights given to an individual to control the electronic data containing such personal information. More on this in a moment. . . . Second is the financial “bite” that EU regulators put into the GDPR, a bite which far exceeds any potential fines that theoretically existed under previous EU or individual country rules. Specifically, the GDPR allows for administrative fines for failure to comply with the GDPR’s data transfer provisions of up to € 20 million (about $23.5 million) or 4% of the violating company’s annual worldwide revenue, whichever is higher – and that revenue amount can be calculated across the violating company’s corporate worldwide parents, subsidiaries, and other affiliates. GDPR, Art. 83(5). Granted, fines at the highest level are reserved for the most egregious situations, but there can be no question that it was the potential threat of these hefty fines that caught the attention of companies throughout the world and led to the enormous efforts over the last year or so to develop GDPR-compliant data policies.

Turning back to the challenges raised by “personal data” under the GDPR, U.S. litigators should understand that the GDPR defines personal data as “any information relating to an identified or identifiable natural person.” GDPR, Art. 4. This definition is much, much broader than what U.S. practitioners typically recognize as sensitive personal information worthy of protection – e.g., a person’s name in conjunction with the person’s social security number, or bank account numbers, or health records. The GDPR’s reference to “any” information includes, at least, the person’s name in conjunction with the person’s email address (business or personal), a physical address or telephone number, or just about anything else that can directly or indirectly identify a specific person. For example, just think of the typical footer people often include at the end of business emails listing the person’s name, company, title, business address, business telephone number, a mobile telephone number, and the person’s email address. Under the GDPR, all of that information constitutes “personal data.” Likewise, the GDPR definition is broad enough to capture an individual’s IP address, which can be found in data logs or other electronic records – information that well could be caught up in ESI discovery requests.

As to an individual’s rights over his/her personal data, the European Commission (EC) explained, in an amicus brief filed to the U.S. Supreme Court last December, that the EC regards “protection of personal data [as] a fundamental right” and that the GDPR is a reflection of the EU’s interest to protect such a right(s).1 The GDPR requires, under certain circumstances, that individuals whose data are being “processed” – e.g., collected, stored or transferred – be provided with explicit and easily understood notice. The GDPR also grants to affected individuals the right to demand to examine that personal data, to correct the data, to erase the data, to object to the collection, use or transfer of the data, and/or the ultimate right to demand to be forgotten.2 There are some exceptions to these rights, including when the data are necessary for “compliance with a legal obligation,” the “establishment, exercise or defence of legal claims,” or “for purposes of compelling legitimate interests . . . which are not overridden by the interests or rights and freedoms of the data subject.” See, e.g., GDPR, Arts. 6(1)(c), 49(1) and 49(1)(e). How these provisions will be interpreted remains an open question, but given many European countries’ long-standing disdain for the entire concept of U.S. discovery, such language should not be regarded as a certain GDPR “get out of jail free” card. Indeed, the European Commission has already explained that an order from a foreign court to produce documents does not render that order legal under the GDPR and that absent an agreement between countries for mutual legal assistance, such an order could proceed “only if it qualified under Article 49.”3

Now, the GDPR’s personal data protections may offer comfort to individuals who do not wish for their personal information to be sold by one web business to another with the second business using that personal data to engage in a targeted advertisement campaign. Likewise, people get very agitated when – oh, for example – Facebook collects and retains personal data and winds up opening a cyber door to the Cambridge Analyticas of the world or hidden foreign government agents who collect and make use of that data for all sorts of political games and gains. But, let’s think about personal data protection when it comes to a typical – and assumedly non-nefarious – need such as an obligation to adhere to U.S. discovery rules.

As we all know, under the Federal Rules of Civil Procedure, discovery is wide-open and broad (concerns for proportionality notwithstanding), and American lawyers use those procedural mechanisms every day to demand that both opposing parties and non-parties undertake extensive efforts to preserve, collect, and/or produce ESI relevant to claims or defenses in a legal dispute. And while these requests may spark motions to a judge seeking protection because of burden and costs, for the most part, American recipients of preservation notices or document requests comply. They also may seek a protective order so that the information cannot be widely disseminated or examined by just anyone4 . . . but they comply.

Now assume that a U.S. party brings a civil suit against a company located in any of the EU/EEA member countries – let’s say France – or sues a U.S. subsidiary of a French company but seeks documents in discovery “located” at the company’s French parent’s office . . . or even serves a subpoena under Rule 45 on a U.S. subsidiary of a French company requiring the production of documents that are in the possession of the parent French company. And yes, all three of these variations are a possibility.5

Under prevailing U.S. rules, once a defendant either is sued or has reason to believe that litigation is imminent, it is obligated to preserve documents, including all ESI, that is potentially relevant to the claims or defenses raised in the litigation. Thus, a party is obligated to “suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”6 Likewise, a subpoena recipient is obligated to preserve documents for a sufficiently long enough period of time to allow for collection and production of the documents consistent with the subpoena’s terms.

So, assuming that the defendant in U.S. litigation is a European entity, that company, under U.S. rules, must “immediately” take steps to preserve all documents – hard-copy and electronic – that may be relevant to the case. Such efforts almost inevitably call for the employer at that point to send a “litigation hold” notice to employees/custodians notifying them of the obligation to preserve relevant information. Upon receiving that notice, each recipient, under the terms of the GDPR, has the right to review the material swept up in the preservation effort, including historical ESI that may have been preserved or archived by the employer. Likewise, it could be argued that other people whose “personal data” is contained within the ESI of a document hold recipient have a similar right of review.

The next question is how long it will take to allow those who choose to review their data to complete the task – and possibly raise questions about why certain information is included in the sweep. Will people have a second or third chance to conduct such a review once the data are culled to specific topics and time periods – and then again, before the ESI is actually produced? What about the time it will take to resolve any objections that individuals raise about the use or transfer of the data – even if it is later determined that the objection is not valid? The possibilities for delay and conflict cannot be ignored.

The question that then arises is whether any U.S. court is going to tolerate the complexities and inevitable time delays that will arise when ESI is sought from EU/EEA member state companies – or from companies located elsewhere but which hold personal data about individuals located in those countries. If past is prologue, the answer to that question should be a resounding “no.”

There is nothing new about the tension between the U.S. discovery system and efforts by European countries to limit American lawyers from being able to obtain information in discovery.7 As long ago as 1958, the U.S. Supreme Court grappled with how to reconcile an effort to obtain certain Swiss bank records when Swiss penal laws protected those same records. See Société Internationale Pour Participations Industrielles et Commerciales, S.A. v. Rogers, 357 U.S. 197, 212-13 (1958) (reversing dismissal of suit as penalty for failure to produce without first making a willfulness determination, but warning that significant evidentiary penalties remained possible). In 1987, the Supreme Court weighed in again and stated, in reference to the French “blocking statute,” which calls for criminal penalties for the production of economic, commercial, industrial, financial, or technical documents “with a view” to foreign judicial proceedings, that “It is well settled that such statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” Société Nationale Industrielle Aerospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522, 544, n.29 (1987).

Since Aerospatiale, U.S. courts have remained, with very few exceptions, consistently hostile to concerns about foreign laws that conflict with U.S. discovery obligations.8 Following upon Aerospatiale’s guidance to courts to engage in an international comity analysis when confronted with conflicting foreign law, U.S. courts regularly weigh, among other things, the importance of the information to the U.S. proceeding; the foreign country’s national interest in its own law; the extent to which compliance with foreign law would undermine important U.S. interests; and whether violation of the foreign law would likely lead to a hardship upon the persons or entity producing the documents.9 However, these examinations generally have been perfunctory and almost inevitably lead to the conclusion that U.S. legal interests outweigh the interests reflected in European law. U.S. courts also almost always note that, despite the threat of criminal jeopardy or monetary fines, prosecutions are extremely rare, and the lack of enforcement by European authorities undermines any concerns about the potential hardship to befall any individual or company that complies with U.S. discovery demands.

A recent decision is illustrative of this approach. In Laydon v. Mizuho Bank, Ltd., 183 F. Supp.3d 409 (S.D.N.Y. 2016), a group of European defendants sought relief from having to respond to plaintiffs’ discovery requests on the grounds that compliance would violate the then-existing 1995 EU Directive 95/46/EC, which was implemented in the United Kingdom as part of the UK’s Data Protection Act. Many of the key data protection provisions of the 1995 EU Directive are very similar to those found in the present GDPR.

In support of their motion, the foreign defendants submitted expert declarations from UK privacy and data protection experts, both of whom argued that the EU Directive and, thus, the UK law prohibited the production of documents in response to plaintiffs’ discovery. The Magistrate Judge agreed that a conflict between the countries’ laws existed and, thus, embarked on a comity analysis. Giving the question short shrift, he determined that the information sought was important to plaintiffs’ case; that while the UK had an interest in enforcing the European data privacy provisions, U.S. interests in enforcing its own laws are superior; that the lack of an official UK government objection indicated that the foreign law interest was not particularly great; and that defendants could not point to a single instance in which the UK government pursued an enforcement action under the Data Protection Act against any entity for responding to U.S. discovery requests. Id. at 423-26.

Against this entrenched background, there should be no reason to expect that U.S. courts will regard the terms of the GDPR as a game-changer – and certainly not one that should be allowed essentially to eviscerate the U.S. discovery system. The Europeans have long taken a different approach towards compelled – or involuntary – disclosure of information that relates to an individual. And what may have begun, at least in part, as a reflection of specific countries’ disdain for U.S. discovery – e.g., the French blocking statute – has evolved in more recent years to genuine concern about personal privacy in an era where electronic data is ubiquitous, instantly transferable across national boundaries, and subject to unknown uses or misuse. Nonetheless, U.S. courts continually have treated European privacy protection efforts as more of an annoyance to be quickly swatted away and dispelled. And while we may be seeing the beginnings of an awakening in the United States about how easily personal data can be collected and manipulated, there certainly is no indication that U.S. policymakers are considering substantial amendments to the discovery rules to address any such concerns. Hence, we all should assume that U.S. discovery as we know it is here to stay for the foreseeable future. Thus, the two legal systems are at loggerheads.

Only one thing may tip the balance – but that is going to require a very serious game of chicken. As noted above, one of the continuing themes repeated in U.S. decisions declining to defer to European or individual country laws is that there has been virtually no enforcement of those laws. The French blocking statute has only ever been enforced once – in 2007, against a French lawyer who lied to a potential French witness to get information for use in a California case, but that case did not actually involve pending discovery.10 Thus, U.S. courts continue to issue orders compelling the production of European documents, data, and ESI. Recall, however, that the GDPR significantly upped the fining authority ante. So, who is going to give way first? Will European companies stand firm behind the GDPR and either decline to produce data or seek substantial delays, thereby risking the wrath of U.S. judges – or will they elect to comply with U.S. discovery orders and risk the significant fines that can be imposed on them for non-compliance with the GDPR’s provisions? Are the European authorities really going to impose those fines despite having not done so in the past? If they do, are U.S. courts really going to continue to require compliance with U.S. discovery rules, essentially ignoring the hardships those fines represent?

The answers to these questions remain to be seen. All we can say for now is that U.S. judges over many years have consistently shown a steely determination to enforce U.S. discovery requirements against foreign nationals, and European authorities have taken no action in response either against the United States or their own citizens. Will that change? Game on!

————————-

1 See Brief of the European Commission on Behalf of the European Union as Amicus Curiae in Support of Neither Party at 1 and 8, United States v. Microsoft Corp., No. 17-2 (S. Ct. Dec. 13, 2017) (hereinafter “EC Amicus Brief”). The Microsoft case concerned a warrant issued under the Stored Communications Act by a federal magistrate judge in New York for an individual’s electronic data/documents stored on a Microsoft server in Ireland and Microsoft’s refusal to comply on the grounds that the Stored Communications Act did not have extraterritorial reach. The Second Circuit subsequently agreed with Microsoft and overturned the district court decision. The U.S. government appealed the matter to the Supreme Court and oral argument was held in February 2018; however, due to new legislation that clarified the extraterritorial application of the Stored Communications Act, the appeal was deemed moot and dismissed.

7 This tension is not exclusive to Europe – other countries throughout the world also have legal systems and philosophies that conflict with U.S. discovery rules. However, as this article relates to the implications on ediscovery of the new GDPR, the discussion is limited to the tension with European law.

8 Exceptions do exist but are few and far between. See, e.g., Salt River Project Agricultural Improvement and Power Dist. v. Trench France, SAS, 2018 WL 1382529 (D. Ariz. Mar. 19, 2018) (recognizing potential hardship to French defendant due to French blocking statute and permitting discovery to proceed under the Hague Convention).

9 See generally Restatement (Third) of the Foreign Relations Law of the United States at § 442(1)(c).

That was the underlying premise of Foley’s “Emerging Automotive Technologies: Tomorrow’s Trends Today” program, held May 22, 2018, at Foley’s Boston office.

Nearly 100 industry leaders, entrepreneurs, investors and legal advisors attended the forum to glean insights from three panels of distinguished experts on such topics as how to protect IP assets in the connected-car space, financing and raising capital, and prospective legislative and regulatory changes affecting autonomous and connected cars.

Attendees also were treated to a keynote address by Internet pioneer and technology entrepreneur Dan Harple, who talked about using blockchain technology to make the global automotive supply chain more transparent, more secure, and more accountable.

Following are the highlights of those discussions.

Protecting Emerging Technologies Transforming Mobility

Ben Horst, co-founder and president of Eddy Motorworks, an Atlanta-based startup that makes custom electric cars, and Isaac Wittenstein, co-founder and CEO of TEQ Charging, another Atlanta-based startup that makes a power management system for charging electric cars, kicked off the program with a session on protecting emerging technology, particularly in the automotive space.

Foley partner John Lanza, who moderated the session, said it’s hard to talk about IP in this space without talking about legislative impact and, to a large extent, about investment in infrastructure supporting connected cars.

Wittenstein said his company is working to make electric vehicle charging stations profitable for the properties that need to purchase them, such as apartment complexes, condominiums, airports and workplaces.

He said his company’s core IP is in the algorithms it uses to distribute power between stations, depending on need and availability. Another IP issue he identified is the company’s brand, so that people know how to use its services and it can educate them about its product.

So, while the company is working on hardware – charging stations – the IP it is seeking to protect is in the software space on top of that hardware, he said.

“We think of ourselves as a software company and that’s really where the value is,” he said.

Horst said that a lot of his company’s IP is process-based. Horst likened his main business – classic car conversions – to the hot rod industry that came about after the first automobiles were sold. “Electric hot rods is kind of a way to think of what we do,” he said. His company doesn’t manufacture motors or assemble batteries. Instead, it puts refurbished parts from other cars together into an integrated vehicle.

“A lot of that is really just a trade secret kind of protection strategy,” he said. “A lot of this is figuring out how to use the components.”

While electric cars still comprise only a small percentage of the vehicles on the road, Wittenstein said that is likely to change when the cost of batteries, which is now about $200 per kilowatt hour, drops to about $100 per kilowatt hour in the next five years or so. On the infrastructure side, another big factor will be making sure people don’t have to fear where they’ll be able to recharge their vehicles.

Horst said there is also a mindset challenge that must be overcome. He cited the negative reaction he got when he took an electric race car his company had built to a racetrack in Georgia, though everyone who got into the car ended up loving it.

“There’s a lot of people who still just don’t want anything to do with [EVs],” he said.

Lanza said that begs the question: Are electric cars the future or a future?

Horst said he thinks they are the future, as long as they start looking more attractive, because nobody wants to buy an ugly car. Wittenstein also said wireless charging will be one of the key things that will enable that to happen.

“Even if the U.S. doesn’t go that route as quickly, China is far outpacing the U.S. in almost all aspects of automotive, and electric is one of the biggest ones they’re outpacing us in,” he said.

Investment Strategies in Private Equity & Venture Capital

The second panel of the day, moderated by Foley partner Dave Kantaros, featured Rob Infantino, the founder and CEO of Openbay, an online marketplace that allows consumers to find, compare, book and pay for automotive repairs and services, and Anish Patel, co-founder and general partner at transportation-focused venture firm Blue Victor Capital, who discussed financing and investment strategies in the auto space.

Infantino opened the session by describing how an unpleasant personal experience with an automotive service center inspired him to start Openbay. He said he had taken his car to get a simple wheel alignment and was handed a 12-page estimate of recommended repairs totaling $4,000.

Needless to say, Infantino, who knows something about cars, having spent two years working on a stock car pit crew during college, left without having his car serviced. Then he set his mind to changing the auto repair industry, which he said has been “stuck in time for decades.”

Patel explained how he went from working for two strategic corporate venture capital firms to helping launch a traditional institutional fund. He said he had spent the majority of his career at GM, the last four years as an investment manager at GM Ventures, where he was responsible for 10 direct investments in transportation-related startups with in-vehicle applications.

He left GM in 2014 to help SAIC Capital, China’s largest automaker, open its venture capital office in Menlo Park, California. Recently, he left SAIC Capital to help start his own fund, mostly because he thought they were missing a lot of opportunities on the corporate side.

“There are a lot of great deals we see in the transportation mobility space that we weren’t allowed to participate in or invest in because our engineering teams didn’t sign off or we had some sort of internal bureaucracy that was preventing us from making these great investments,” he said.

Infantino said his experience raising capital has been mixed. He personally financed the company for the first two years, then took in angel money from local investors in Boston. He also took capital from Google Ventures and Andreessen Horowitz. Aside from those two firms, however, he said he’s had a lot of success with individual angel investors and boutique firms, but “zero” success with your typical Tier 1 VCs in Boston.

“I can’t tell you how many meetings I’ve been to where I’ve gotten no’s across the board over the last few years,” he said.

He said the reason was a combination of the audience not understanding automotive and the stage of his company. He also said Boston’s venture capital community is very conservative and very risk averse, and that a lot of his peers have gotten the same response he has. And he added that the entrepreneurial community would not exist if it wasn’t for the angel network in Boston.

Infantino said he advises his peers to stop taking meetings with Boston VCs and instead try to tap into the city’s angel network. If that doesn’t work, he said they should turn to Manhattan. And if that doesn’t work, they should go west and stay west, where they most likely will get funded.

Patel said the investment criteria he is looking for includes the team, the technology and the stage. But in the later stage, it’s mostly about the team and the CEO and how well they can execute on the plan, establish a customer base, and meet the metrics they outlined before.

When it comes to a right of first purchase provision, Patel said, it’s up to the board and the management team of the company to negotiate that out.

Infantino said he tries to stay away from non-U.S. investors because they tend to take up a lot of his time, ask for everything under the sun, and end up not investing.

Patel said he thinks there are still plenty of opportunities for capital, especially in cyber, fleet management and chipsets for embedded systems. “I think there’s still great startups at really good valuations that are still going to be needed in automotive, as well as in the autonomous space, that are fairly priced and crucial not only to autonomous but to the automotive industry as a whole.”

He also thinks there is still a huge need in the cybersecurity area, that we are going to see many more companies than the ones already there, and that the chipset and memory piece is going to be crucial for automotive.

The final session, which covered legislative and regulatory developments related to autonomous and connected vehicles, featured Anita Kim, a technology policy analyst at the U.S. DOT Volpe Center in Cambridge, and Charlie Ticotsky, policy director at Transportation for Massachusetts (T4MA), a coalition of organizations working on transportation policy in the state.

The session began with an overview of various legislative and regulatory developments affecting autonomous and connected vehicles, including two major autonomous vehicle bills that have been introduced in Congress: the SELF DRIVE Act, which passed the House, and the AV START Act, which is pending in the Senate.

The SELF DRIVE Act would take the regulation of autonomous vehicles out of the hands of the 50 states, which is one of the driving concerns of the industry, and place on NHTSA the authority to regulate the design, construction and performance of automated driving systems. It would, among other things, also require NHTSA to promulgate a rule requiring manufacturers to submit a safety assessment certification for automated vehicles and driving systems. And it would require manufacturers to develop detailed cybersecurity and data privacy plans for automated vehicles.

The AV START Act, while different, contains many of the same elements.

Foley partner Chris Grigorian, who moderated the session, noted that there have been hearings and a lot of public discussion around these legislative proposals. He also noted that NHTSA has been conducting research in anticipation of updating its voluntary autonomous vehicle guidelines and initiating future rulemakings in this area.

Grigorian said there has been some hesitation to pursuing the legislation further among some Democrats in the Senate, which has only been exacerbated by the recent fatal accidents involving autonomous vehicles. Those concerns were evident in the recent nomination hearing for a new NHTSA administrator, who was peppered with questions about what the agency is doing to ensure the safety of autonomous vehicles.

NHTSA has also been very active developing voluntary guidelines for the manufacturers of autonomous vehicles, last year issuing its second version of the guidelines, which Grigorian described as “sort of a 12-step program” for autonomous vehicles. NHTSA is now in the process of updating those guidelines.

At the state level, California, which has been on the leading edge of regulating autonomous vehicles, has recently adopted a new regulation that allows testing and use of fully driverless vehicles on public roads, subject to a number of requirements involving safety, communications, training and certification.

Ticotsky talked about a report his organization put out 1 ½ years ago, called “Fast Forward,” which makes a number of policy recommendations around autonomous vehicles, including encouraging innovation, sharing data, planning for future infrastructure needs, and improving and expanding public transportation and walking and biking networks.

He also discussed a short, animated video by Zipcar co-founder and former CEO Robin Chase that lays out the “heaven and hell” scenarios that autonomous vehicles could usher in. He shares her optimism that AVs will prove to be a net positive, but only if they are shared and are electric.

Keynote

Dan Harple, the founder and CEO of Context Labs, a leader in delivering at-scale enterprise blockchain-enabled systems and in advising global market segments and countries on the development of highly efficient ecosystems and interoperable standards, closed the program with a keynote speech he titled, “The Digital Transformation of Mobility Convergence of the Digital Thread.”

Harple talked first about the idea that the world is an interconnected ecosystem, then discussed some of the challenges, opportunities and risks that presents, and ended with an overview of a new global initiative he and Context Labs co-founded called the Mobility Open Blockchain Initiative (MOBI).

MOBI is a consortium of automakers, startups, technology companies and others that account for over 70 percent of global vehicle production, including Ford, General Motors, and BMW. Using blockchain technology, which allows information to be stored on a decentralized database that no one owns but everyone can access, MOBI seeks to foster an ecosystem where businesses and consumers have security and sovereignty over their driving data, manage ride-share and car-share transactions, and store vehicle identity and usage information.

Overall, the three sessions and keynote revealed great optimism about the opportunities within an evolving industry that revolves around cars for transportation, and confidence that new technology will continue to be at the forefront of change in the automotive industry.

For more information on Foley’s Emerging Automotive Technologies Program and the topics covered in this article, please contact:

Highlights from the Foley & Lardner LLP/BNY Mellon Wealth Management Tech X 2018 Conference
https://www.techtransactionstoday.com/2018/06/11/highlights-from-the-foley-lardner-llp-bny-mellon-wealth-management-tech-x-2018-conference/
Mon, 11 Jun 2018 08:00:17 +0000

What lessons can be learned from serial and successful entrepreneurs? How does one build a great team? What challenges and opportunities do today’s business owners and entrepreneurs face? How secure is your internet-connected technology from cyberattack?

Those were just some of the topics covered at the Foley & Lardner LLP/BNY Mellon Wealth Management Tech X 2018 conference, a half-day event in Chicago on May 17 that brought together nearly two dozen leading experts and entrepreneurs for a wide-ranging discussion of some of the biggest issues and challenges confronting new and growing companies today. Foley’s Chris Cain, a partner in Foley’s Transactions Practice and Technology Transactions & Outsourcing Practice, and Lisa Conmy, a partner in Foley’s Finance Practice and Venture and Growth Capital Practice, hosted the event, along with Jennifer Lucas, a Senior Director at BNY Mellon Wealth Management.

The event, which drew an audience of nearly 150 business executives, entrepreneurs, investors, and lawyers, treated the attendees to a series of panel discussions, a keynote address by Pamela Netzky, co-founder and former president of SkinnyPop Popcorn, a buffet lunch, and several networking opportunities.

The program opened with a Q & A with three entrepreneurs who either founded or played a critical role in several successful startups: Daniel Berg, currently chief technology officer at JumpCloud, a cloud-based directory-as-a-service provider; Randi Brill, now chief creative officer and lab guru at QuaraCORE, a Chicago creative design agency; and Scott Wald, founder and president of Romar Services, a private family office and investment firm.

The three panelists fielded questions on a variety of subjects, including what the allure of being a serial entrepreneur is, what they learned from their biggest mistakes and/or failures, how much planning they put into their exit strategies, and what words of wisdom they have for those who wish to follow in their footsteps.

The opening session was followed by several breakout sessions, including one focused on building a great team. Panelists included Danielle Drabkin, managing partner of Chicago-based technology startup The Minte, a hotel-style housekeeping service; Stuart Frankel, co-founder and CEO of Narrative Science, a Chicago-based technology company; and Peter Rahal, co-founder and CEO of natural protein bar maker RXBAR.

They discussed, among other things, what sort of attributes they look for in the people they hire, how to build a more cohesive team, how to motivate and reward valued employees, and how to manage conflict.

Retrum opened the session by noting that there are now more connected devices in the world – an estimated eight billion – than there are people. And that number is expected to rise to one trillion in the next five years.

He also demonstrated how vulnerable such technology can be to cyberattack by recounting the case of the Las Vegas casino that was hacked last year through the Internet-connected thermometer in the aquarium in its lobby. Once there, the hackers managed to access the casino’s database of high-roller gamblers.

The half-day conference ended with a keynote address by Netzky, who told the unlikely story of how she and SkinnyPop co-founder Andy Friedman turned one man’s (Friedman’s father’s) obsession with Chicago-based tourist favorite Garrett’s popcorn into one of the world’s largest and fastest growing “better for you” snack food brands.

Netzky attributed the phenomenal success of SkinnyPop, which is now sold in more than 50,000 stores throughout North America and Europe, to being in the right place at the right time with the right product.

“I can’t tell you enough how grateful I am to have been on this crazy rocket ship,” she said. “It’s been the experience of a lifetime.”